Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-34486EXPLOITEDPATCHED

apache · tomcat

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

Description

A vulnerability marked as problematic has been reported in Apache Tomcat up to 9.0.116/10.1.53/11.0.20. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing encryption of sensitive data. This vulnerability is referenced as CVE-2026-34486. Remote exploitation of the attack is possible.

Affected Products

Vendor	Product	Versions
apache	tomcat	11.0.20, 10.1.53, 9.0.116

References

https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly(vendor-advisory)

Related News (2 articles)

Tier C

oss-security6h ago

CVE-2026-34486: Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

→ No new info (linked only)

Tier C

VulDB9h ago

CVE-2026-34486 | Apache Tomcat up to 9.0.116/10.1.53/11.0.20 missing encryption

→ No new info (linked only)

CVSS 3.17.5 HIGH

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly

CWECWE-311

PublishedApr 9, 2026

Last enriched9h agov2

Trending Score57

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34197EXP

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

HIGHCVE-2026-27314EXP

Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

HIGHCVE-2025-62188EXP

Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

LOWCVE-2026-34487EXP

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

LOWCVE-2026-34483EXP

Apache Tomcat: Incomplete escaping of JSON access logs

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 9, 2026

Actively Exploited

Apr 9, 2026

Patch Available

Apr 9, 2026

Discovered by ZDM

Apr 9, 2026

Updated: description, severity, cvssEstimate, activelyExploited

Apr 9, 2026

Version History

v2

Last enriched 9h ago

v2Tier C9h ago

Updated description with new details, changed severity to HIGH, set CVSS estimate to 7.5, and marked the vulnerability as actively exploited.

descriptionseveritycvssEstimateactivelyExploited

via VulDB

v19h ago

Initial creation